[v3,07/11] arm64: bti: Provide Kconfig for kernel mode BTI

Message ID	20200506195138.22086-8-broonie@kernel.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=ghDP=6U=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 08636206B8 From: Mark Brown <broonie@kernel.org> To: Vincenzo Frascino <Vincenzo.Frascino@arm.com>, Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com> Subject: [PATCH v3 07/11] arm64: bti: Provide Kconfig for kernel mode BTI Date: Wed, 6 May 2020 20:51:34 +0100 Message-Id: <20200506195138.22086-8-broonie@kernel.org> In-Reply-To: <20200506195138.22086-1-broonie@kernel.org> References: <20200506195138.22086-1-broonie@kernel.org> MIME-Version: 1.0 summary: Content analysis details: (-5.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust [198.145.29.99 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 DKIMWL_WL_HIGH DKIMwl.org - Whitelisted High sender Precedence: list Cc: Kees Cook <keescook@chromium.org>, Daniel Borkmann <daniel@iogearbox.net>, Jean-Philippe Brucker <jean-philippe.brucker@arm.com>, Mark Brown <broonie@kernel.org>, Amit Kachhap <amit.kachhap@arm.com>, Dave Martin <Dave.Martin@arm.com>, linux-arm-kernel@lists.infradead.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
Series	arm64: BTI kernel and vDSO support \| expand [v3,00/11] arm64: BTI kernel and vDSO support [v3,01/11] arm64: Document why we enable PAC support for leaf functions [v3,02/11] arm64: bti: Support building kernel C code using BTI [v3,03/11] arm64: asm: Override SYM_FUNC_START when building the kernel with BTI [v3,04/11] arm64: Set GP bit in kernel page tables to enable BTI for the kernel [v3,05/11] arm64: bpf: Annotate JITed code for BTI [v3,06/11] arm64: mm: Mark executable text as guarded pages [v3,07/11] arm64: bti: Provide Kconfig for kernel mode BTI [v3,08/11] arm64: asm: Provide a mechanism for generating ELF note for BTI [v3,09/11] arm64: vdso: Annotate for BTI [v3,10/11] arm64: vdso: Force the vDSO to be linked as BTI when built for BTI [v3,11/11] arm64: vdso: Map the vDSO text with guarded pages when built for BTI

Message ID

20200506195138.22086-8-broonie@kernel.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 08636206B8
From: Mark Brown <broonie@kernel.org>
To: Vincenzo Frascino <Vincenzo.Frascino@arm.com>,
 Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>
Subject: [PATCH v3 07/11] arm64: bti: Provide Kconfig for kernel mode BTI
Date: Wed,  6 May 2020 20:51:34 +0100
Message-Id: <20200506195138.22086-8-broonie@kernel.org>
In-Reply-To: <20200506195138.22086-1-broonie@kernel.org>
References: <20200506195138.22086-1-broonie@kernel.org>
MIME-Version: 1.0
Precedence: list
Cc: Kees Cook <keescook@chromium.org>, Daniel Borkmann <daniel@iogearbox.net>,
 Jean-Philippe Brucker <jean-philippe.brucker@arm.com>,
 Mark Brown <broonie@kernel.org>, Amit Kachhap <amit.kachhap@arm.com>,
 Dave Martin <Dave.Martin@arm.com>, linux-arm-kernel@lists.infradead.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org

Series

arm64: BTI kernel and vDSO support | expand

Commit Message

Mark Brown May 6, 2020, 7:51 p.m. UTC

Now that all the code is in place provide a Kconfig option allowing users
to enable BTI for the kernel if their toolchain supports it, defaulting it
on since this has security benefits. This is a separate configuration
option since we currently don't support secondary CPUs that lack BTI if
the boot CPU supports it.

Code generation issues mean that current GCC 9 versions are not able to
produce usable BTI binaries so we disable support for building with GCC
versions prior to 10, once a fix is backported to GCC 9 the dependencies
will be updated.

Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
---
 arch/arm64/Kconfig | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6f199d8146d4..f3de1c115fc0 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1610,6 +1610,24 @@  config ARM64_BTI
 	  BTI, such binaries can still run, but you get no additional
 	  enforcement of branch destinations.
 
+config ARM64_BTI_KERNEL
+	bool "Use Branch Target Identification for kernel"
+	default y
+	depends on ARM64_BTI
+	depends on ARM64_PTR_AUTH
+	depends on CC_HAS_BRANCH_PROT_PAC_RET_BTI
+	depends on !CC_IS_GCC || GCC_VERSION >= 100000
+	depends on (!FUNCTION_GRAPH_TRACER || DYNAMIC_FTRACE_WITH_REGS)
+	help
+	  Build the kernel with Branch Target Identification annotations
+	  and enable enforcement of this for kernel code. When this option
+	  is enabled and the system supports BTI all kernel code including
+	  modular code must have BTI enabled.
+
+config CC_HAS_BRANCH_PROT_PAC_RET_BTI
+	# GCC 9 or later, clang 8 or later
+	def_bool $(cc-option,-mbranch-protection=pac-ret+leaf+bti)
+
 config ARM64_E0PD
 	bool "Enable support for E0PD"
 	default y

[v3,07/11] arm64: bti: Provide Kconfig for kernel mode BTI

Commit Message

Patch